fcc298685a
- Resolves: RHEL-46607 kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica - Resolves: RHEL-46606 ipa-client rpm post script creates always ssh_config.orig even if nothing needs to be changed - Resolves: RHEL-46605 IPA Web UI not showing replication agreement for non-admin users - Resolves: RHEL-46592 [RFE] Allow IPA SIDgen task to continue if it finds an entity that SID can't be assigned to - Resolves: RHEL-46556 Include latest fixes in python3-ipatests packages - Resolves: RHEL-42705 PSKC.xml issues with ipa_otptoken_import.py Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
105 lines
4.1 KiB
Diff
105 lines
4.1 KiB
Diff
From a8e75bbb77e15e3a42adb2d30933cf9e1edd2f0b Mon Sep 17 00:00:00 2001
|
|
From: Thomas Woerner <twoerner@redhat.com>
|
|
Date: Tue, 11 Jun 2024 10:50:51 +0200
|
|
Subject: [PATCH] ipa_sidgen: Allow sidgen_task to continue after finding
|
|
issues
|
|
|
|
find_sid_for_ldap_entry could fail in several ways if a Posix ID can not
|
|
be converted to an unused SID. This could happen for example for ducplicate
|
|
IDs or user/group out of range.
|
|
|
|
This change enables ipa_sidgen_task to continue in the error case to try
|
|
to convert the entries without errors. The error messages have been
|
|
extended to additionally show the DN string for the bad entries.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9618
|
|
|
|
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
|
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
---
|
|
.../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 11 ++++++-----
|
|
.../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c | 11 ++++++++---
|
|
2 files changed, 14 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
|
|
index cb763ebf8c733e50483c23856a248eb536c796f1..13f4de5416606df1911f14f60ab1af1a8ba0184b 100644
|
|
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
|
|
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
|
|
@@ -491,7 +491,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
|
|
}
|
|
|
|
if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) {
|
|
- LOG_FATAL("ID value too large.\n");
|
|
+ LOG_FATAL("ID value too large on entry [%s].\n", dn_str);
|
|
ret = LDAP_CONSTRAINT_VIOLATION;
|
|
goto done;
|
|
}
|
|
@@ -508,7 +508,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
|
|
&has_posix_group,
|
|
&has_ipa_id_object);
|
|
if (ret != 0) {
|
|
- LOG_FATAL("Cannot determine objectclasses.\n");
|
|
+ LOG_FATAL("Cannot determine objectclasses on entry [%s].\n", dn_str);
|
|
goto done;
|
|
}
|
|
|
|
@@ -522,15 +522,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
|
|
id = (uid_number != 0) ? uid_number : gid_number;
|
|
objectclass_to_add = NULL;
|
|
} else {
|
|
- LOG_FATAL("Inconsistent objectclasses and attributes, nothing to do.\n");
|
|
+ LOG_FATAL("Inconsistent objectclasses and attributes on entry "
|
|
+ "[%s], nothing to do.\n", dn_str);
|
|
ret = 0;
|
|
goto done;
|
|
}
|
|
|
|
ret = find_sid_for_id(id, plugin_id, base_dn, dom_sid, ranges, &sid);
|
|
if (ret != 0) {
|
|
- LOG_FATAL("Cannot convert Posix ID [%lu] into an unused SID.\n",
|
|
- (unsigned long) id);
|
|
+ LOG_FATAL("Cannot convert Posix ID [%lu] into an unused SID on "
|
|
+ "entry [%s].\n", (unsigned long) id, dn_str);
|
|
goto done;
|
|
}
|
|
|
|
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
|
|
index 007b1c945d0e37c4061f6a33cfdd667c45118c99..67979cb9fb0b5560009643c84be7eb07d767d77f 100644
|
|
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
|
|
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
|
|
@@ -89,7 +89,7 @@ static void free_pblock(void *arg)
|
|
static int do_work(struct worker_ctx *worker_ctx)
|
|
{
|
|
Slapi_PBlock *pb;
|
|
- int ret;
|
|
+ int ret, failures = 0;
|
|
size_t c;
|
|
char *filter = NULL;
|
|
char *attrs[] = { OBJECTCLASS, UID_NUMBER, GID_NUMBER, NULL };
|
|
@@ -151,8 +151,7 @@ static int do_work(struct worker_ctx *worker_ctx)
|
|
worker_ctx->base_dn, worker_ctx->dom_sid,
|
|
worker_ctx->ranges);
|
|
if (ret != 0) {
|
|
- LOG_FATAL("Cannot add SID to existing entry.\n");
|
|
- goto done;
|
|
+ failures++;
|
|
}
|
|
|
|
if (worker_ctx->delay != 0) {
|
|
@@ -162,6 +161,12 @@ static int do_work(struct worker_ctx *worker_ctx)
|
|
}
|
|
};
|
|
|
|
+ ret = failures;
|
|
+ if (ret > 0) {
|
|
+ LOG_FATAL("Finished with %d failures, please check the log.\n",
|
|
+ failures);
|
|
+ }
|
|
+
|
|
done:
|
|
slapi_ch_free_string(&filter);
|
|
pthread_cleanup_pop(1);
|
|
--
|
|
2.45.2
|
|
|